HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. guest

    guest Guest

    In HMP.A a similar text is displayed if I click on Network Lockdown: "Helps to stop attacks that connect back to command-and-control"
    I think the network related setting in Sophos Central and Network Lockdown in HMP.A are the same.
    So the option in Sophos Central should disable Network Lockdown :doubt:
    Edit: Sophos Central doesn't have Network Lockdown. See post #13019
     
    Last edited by a moderator: Feb 25, 2017
  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,840
    Location:
    the Netherlands
    @erikloman,

    February 10, I reported build 586 did not resolve the CryptoGuard and LibreOffice x86 on Win x64 issue that I reported January 24 and February 3.

    February 11, you replied you were able to reproduce that issue, and that you would come back on the LibreOffice issue that week.

    February 15, it was noticed that build 586 was available for download on the website, so that the release candidate was now release version.
    I supposed that in a week or so, systems that had the previous stable release 3.6.1.574 on it, would get 3.6.3.586 offered by automatic update.
    However, there is no auto update, yet.

    Erik, can you tell us when 3.6.3.586 is planned to be offered by automatic update?

    And also, Erik, could you tell me what is the status of the reported CryptoGuard and LibreOffice x86 on Win x64 issue?
    Will that be fixed in an upcoming beta version?

    It is weekend, and there is no hurry, but it would be great if you could reply next week.
    Thanks very much and have a nice weekend.
     
    Last edited: Feb 25, 2017
  3. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Please allow me to comment.

    Address Space Layout Randomization (ASLR)
    ASLR is a first line of defense against attackers targeting Internet users. ASLR randomizes the location of an application’s code and data in the virtual address space in order to make it difficult for attackers to leak or manipulate the data or reuse the code in order to compromise the application and ultimately the endpoint. Combined with Data Execution Prevention (DEP), ASLR makes it harder to compromise systems.

    ASLR^Cache Attack
    The AnC attack – or ASLR^Cache attack – by VUsec in The Netherlands, can fully derandomize ASLR from JavaScript in a web browser without relying on any software feature. The attack builds on hardware behavior that is central to efficient code execution: the fast translation of virtual to physical addresses in the MMU by means of page tables. It targets a victim’s hardware rather than software component.

    HitmanPro.Alert (HMPA)
    To make applications more resilient to exploit attacks, HMPA applies many code and memory mitigations to applications, including web browsers. HMPA also applies and improves existing ASLR with its Mandatory ASLR and Bottom-Up ASLR memory mitigations. Thanks to these mitigations attackers do not immediately know where critical functions are located in memory, typically for use in a subsequent Return-Oriented Programming (ROP) attack. They need to leverage an additional information disclosure vulnerability or another way to get usable addresses for their attack.

    Impact
    It is important to know that the AnC attack doesn’t immediately lead to full control over the endpoint. The attack needs to be combined with a software vulnerability in e.g. the web browser or its plugins (like Flash), as well as other exploitation techniques. And since most applications, including browsers, already run with ASLR enabled since Windows Vista in 2007, attackers were already required to beat ASLR in order to compromise the endpoint.

    The researchers behind the AnC attack demoed their attack by exploiting CVE-2013-0753 in Firefox 17. An exploit attack on this vulnerability is available in Metasploit and it employs a Stack Pivot and Return-Oriented Programming (ROP) to successfully compromise the machine. Both exploit techniques are detected by HMPA.

    Albeit a totally awesome and novel trick (kudos, hat tip and deep bow to the Dutch team), the AnC attack is simply a new way to bypass ASLR, including the ASLR memory mitigations applied by HMPA. On a large scale, the AnC attack certainly impacts endpoints that are not protected by additional exploit mitigations. So all the more reason to consider deploying an advanced exploit prevention solution like HMPA, as it also detects ROP attacks in real-time with its Hardware Assisted Control-Flow Integrity.
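    The post above explains that ASLR only helps when an image is actually randomized, and that HMPA's Mandatory ASLR exists to force randomization for images that never opted in. As an added example (not code from this thread, from SurfRight or from Sophos), the following Python script parses the DllCharacteristics word of a PE optional header and reports whether the image opted in to ASLR (DYNAMICBASE), high-entropy 64-bit ASLR, DEP (NXCOMPAT) and Control Flow Guard. The flag values and header offsets are the documented PE/COFF ones; the sample PE header is constructed inside the script so it runs offline, and the function names are my own.

```python
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flag values (PE/COFF specification)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image opts in to DEP
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000         # Control Flow Guard

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image; ValueError if malformed."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                          # start of the optional header
    if size_of_optional < 72 or len(image) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return flags


def mitigation_report(image: bytes) -> dict:
    """Map the opt-in flags to the mitigations discussed above."""
    flags = dll_characteristics(image)
    return {
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(flags & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "cfg": bool(flags & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def build_fake_pe(characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed sample: a minimal, non-runnable PE header carrying the given flags."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    optional_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, optional_size, 0x2022)
    opt = bytearray(optional_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_mitigations.py <file.exe|file.dll> ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            print(path, mitigation_report(data))
        except ValueError as exc:
            print(path, "skipped:", exc)
```

    An image that reports `"aslr": False` is exactly the kind of module that will be loaded at its preferred base unless something like Mandatory ASLR (or the equivalent Windows Defender Exploit Guard setting) forces relocation; the AnC attack described above is a different problem, since it leaks the randomized layout of images that did opt in.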
     
  4. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Sophos Intercept X doesn't have HMPA's Network Lockdown. It offers Malicious Traffic Detection (MTD) instead, which is actually quite different.
     
  5. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Network Lockdown is still a complete mystery to me. Maybe you could do a couple of demo videos on YouTube, if you don't want to explain it in detail.
     
  6. guest

    guest Guest

    Thanks for information. I corrected my post.
     
  7. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    Is one license still needed to get both HMP and HMPA?
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Yes, if you buy a HMP.A license. A HMP license only activates HMP.
     
  9. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    Depends on the licence type. If you buy a HMP Enterprise licence it activates HMP.A too as there is no HMP.A licence for business.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks for the info, just what I thought. :thumb:

    Yes some more info would be nice, I still don't understand how HMPA decides if certain network connections are suspicious or not.
     
  11. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Nope,
    Krusty is right.
    HMP licence for enterprise is only for HMP, not for HMP.A.
    HMP.A for enterprise is now part of Sophos Intercept X.
     
  12. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    Would it be overkill to use MemProtect and/or Pumpernickel, if one is already using HMP.A?
     
  13. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    I have an Enterprise licence and am fully aware of Intercept X. HMP Enterprise covers BOTH HMP and HMP.A, I had this confirmed before purchase.

    There is no HMP.A for business.
     
  14. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    60
    https://www.wilderssecurity.com/thr...iscussion-thread.324841/page-478#post-2626493

    This is a continuation of the above status. Finally installed build 586 (upgraded from 2.6.5) on my legacy Thinkpad T43 laptop. Looks good, so far, however, it seems MBAE (version 1.09.1.1334) no longer functions as it should.

    Once applications are protected/registered by HMPA, there are no fly-outs and no log entries in MBAE telling me that it's working. Not sure what's really happening.

    Yes, I know, everyone says "don't run HMPA and MBAE concurrently", but, I decided to try anyway partly because the What's New for build 584 said: Improved compatibility with MBAE, MBAM v3 and EMET

    Any comments from people smarter than this poster?!
     
  15. guest

    guest Guest

    That's the way it works.
    If you have HMP.A and MBAE installed and you are protecting a browser with both programs, HMP.A prevents MBAE from protecting your browser (or rather, the injection of mbae64.dll).
    Only one program should protect it at the same time.

    If I protect the browser with MBAE (but not with HMP.A), I can see this:
    [Attachment: HMPA+MBAE=Cyberfox MBAE-protected.png]

    Now I add it in HMP.A:
    [Attachment: HMPA+MBAE=Cyberfox HMPA-protected.png]
    [Attachment: HMPA+MBAE=Cyberfox HMPA-protected_.png]

    HMP.A makes sure that if you protect applications with HMP.A that only HMP.A is protecting it. That's the reason why you can see no log entries in MBAE.
    After removing it from HMP.A, MBAE takes over and is now protecting it.
     
  16. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    60
    Thanks, that seems logical. So, does it make sense to uninstall MBAE and just run HMPA? Or, would MBAE take care of some rest-risks not handled by HMPA (like putting a Band-Aid on top of a Band-Aid if you have a bad cut)? Both take CPU and Memory resources .. so less is more most.
     
  17. guest

    guest Guest

    If you look in the list of protected applications in HMP.A and MBAE and they are listing the same applications, then MBAE "has nothing to do" because HMP.A is always protecting them.
    Then it might be better to use only HMP.A.
    Or you can leave it installed, there should be no conflicts (but more resource-usage)
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We have whitelisted this one. Is it still occurring?
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We are auto updating either end of today or tomorrow.

    We are working on a new major version of CryptoGuard which should solve the LibreOffice issue.
     
  20. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Thanks

    The error is no longer there.
     
  21. Although a lot of members talk about layered setups, some layered setups have overlap which might lead to unexpected results and conflicts. I would opt to trust the developers you paid for protecting your PC, so in this case I would only use HPMA.
     
  22. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    60
    Of the programs I use, the way I have configured HMPA, pretty much a 100% overlap. So, not much for MBAE to do .. as it's shut out of the process by HMPA. For now I have uninstalled MBAE .. easy enough to reinstall.

    As regards MBAE as a freestanding program, since its incorporation with MBAM, only a perpetual Beta is available. How long that remains a viable solution nobody knows. I'll play with HMPA on my W7 computer and see how it works out.

    Different topic, I tried build 586 on my (very) old XP Pro computer with P3 and SSE CPU only and the installer crashed. Perhaps the installer requires SSE2...
     
  23. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,840
    Location:
    the Netherlands
    Thanks, Erik, good to know.
    Ah, OK, so no fix right now, but in a later beta.
    Also good to know, thanks very much.
    For now, I will take care not to trigger CryptoGuard with my LibreOffice actions, or I'll disable CryptoGuard for a moment, if I need to.
     
  24. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    @erikloman
    Using Intercept X in Sophos Central, is there any way to white-list an executable against triggering CryptoGuard? In our case, it's a PDF conversion program that's being flagged as ransomware after 40+ pages of PDFs.
     
  25. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    Thanks! :thumb:
     